Charlie looks at doxing, the different ways it can affect your organisation and how you should prepare.
The short answer is yes. The long answer is also yes, but after seeing the word in a cyber article I was reading this week, I thought I would do a little more research into what it is and share this with you in today’s bulletin. I was not familiar with the word and at first I thought it was to describe when hackers auction or try and sell information during a cyber-attack, with the threat they will release it to all if a ransom is not paid. Doxing is actually much wider than this and covers the release of information, either accidentally or more often intentionally for the purpose of ‘harassment, online shaming, harm, extortion, coercion, aiding law enforcement or vigilante versions of justice’.
According to Nicholas Fearn, who wrote in Computer Weekly in August 2020: ‘Ransomware is one of the most common types of cyber threat, targeting a business every 14 seconds and costing $11.5bn in 2019 alone’. He goes on to say that criminals are further trying to increase the money from each hack by ‘double extortion’. They first use ransomware to lock the computer of the victim and ask for a ransom to get it back. Secondly, they choose targets where they know that the release of their data could be embarrassing and then threaten to release the data (doxing) if a further ransom is not paid.
A classic case of this is the Entertainment and Media lawyers based in New York, Grubman, Shire, Meiselas & Sack, who in May 2020 were hacked and the hacking group REvil stole 756 gigabytes of confidential documents from their servers, including contracts and personal emails from a number of Hollywood and music stars. They then went on to try and ransom the access to all documents for $42m. This ‘offer’ was withdrawn after the lawyers refused to pay and according to Computer Weekly, they started a 3-month auction in July for data relating to pop stars Mariah Carey, Nicki Minaj, and basketball player LeBron James with a starting price of $600,000 for each lot. It will be interesting to see how this one progresses. It is also interesting that their website is still not back up after the hack and they have had a single holding page for the last 5 months.
Double extortion is only a small part of doxing; the more prevalent use of doxing is the release of people’s personal information, done for a number of different reasons. This could be by accidental release. People who had spoken out against personal privacy to the Presidential Advisory Commission on Election Integrity had their details leaked accidentally by the USA administration, as the 112-page document with their comments was released but their personal details were not redacted, so anyone could see their email addresses and even home addresses.
Often the personal details published on websites or social media channels are obtained from publicly available information on the internet and social media, not from hacks. An example of this is Curt Schilling, a former Major League Baseball player, who in March 2015 took revenge against the people who posted sexually offensive comments about his daughter on Twitter. Schilling researched the trolls’ Twitter profiles and, using information available on the internet, doxed them by posting their real identities online. As a result, one person got fired from his job, and another was suspended from his community college. Several others who had also been trolling his daughter wrote personal apologies to her online.
This case could be considered a beneficial use of doxing, but often those doxing have got it wrong and innocent people have been accused of things they weren’t involved in. Their information can be shared thousands of times and they have no opportunity for redress. In 2014, the hacking group Anonymous hacked two KKK Twitter accounts and then said they would release a list of KKK members. On the list were four Senators and five Mayors who were not at all involved in the far-right groups, and who then had to take to social media to explain that they were not KKK members and that the group had made a mistake. The posting of names, addresses and contact information can be used for intimidation, revenge or harassment. A famous example of this is the Nuremberg Files. This was a list posted by the anti-abortion activist Neal Horsley in the late 1990s, which provided the names and addresses of abortion providers. He labelled this as a hit list, and eight of those on the list have since been killed. When they died their names were scored off the list. The list was taken down after a lengthy court case in which the courts had to balance freedom of speech against harassment.
What should we do in order to prepare for this threat?
- Conduct a data risk assessment to understand what your exposure is to double extortion. This previous bulletin explains how you can conduct a data risk assessment to understand what data hackers would have access to and what the possible consequences are. Once you understand your exposure, carry out an exercise to look at different scenarios of how you would respond if you suffered this type of incident. War-gaming is a good format of exercise for exploring this.
- Investigate what contact information of your senior managers is available online, and which of your staff in sensitive positions could be open to extortion. Depending on what is accessible, take steps to reduce the amount of data available, and educate all members of your organisation on the threat and how to limit the amount of data they post online.
- Think through how you would protect, support, and respond if your senior managers or any other member of staff’s personal information was released online.
Doxing has been around in various forms for a long time. Some actions people may feel are justified, such as the outing of KKK members or Neo-Nazis, whilst other cases most would agree are completely unjustified, such as the release of personal information from 7,000 USA law enforcement officers. For those caught out and falsely accused in a doxing, there is no redress for the defamation in the courts, and they have to manage and restore their reputations themselves. For us in the business continuity profession, we should recognise doxing as a possible threat and take appropriate steps to prepare our organisation to respond to a potential event.